    Security flaw allows stolen credit card use on digital wallets
    Attackers can bypass multi-factor authentication with ease


    By Mudit Dube
    Aug 20, 2024
    06:52 pm

    What's the story

    A recent study has revealed that popular digital wallets like Apple Pay, Google Pay, and PayPal could potentially be used to conduct transactions with stolen credit cards.

    The research was conducted by a team of cybersecurity experts including Raja Hasnain Anwar and Muhammad Taqi Raza from the University of Massachusetts Amherst, and Syed Rafiul Hussain from Penn State.

    Their findings were presented in a paper titled "In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free Shopping."

    Security flaws

    Researchers expose vulnerabilities in digital wallet security

    The researchers uncovered critical vulnerabilities in the security protocols of major digital wallet apps and US banks.

    They demonstrated how attackers could exploit weaknesses in authentication, authorization, and access control mechanisms to add stolen credit cards to their own digital wallets and make unauthorized purchases.

    The study's lead author, Anwar, outlined a potential attack scenario where a thief, armed with a stolen credit card, could use publicly accessible databases to locate the victim's address, facilitating fraudulent transactions.

    Authentication loophole

    Attackers can bypass multi-factor authentication

    The researchers highlighted that an attacker could bypass multi-factor authentication (MFA) by opting for a knowledge-based authentication (KBA) scheme.

    This involves using the 'call-based' option to add the card to their wallet, where they provide KBA-related information such as the date of birth or the last four digits of the social security number.

    Some KBA schemes only require one data point such as billing ZIP code, billing street address, date of birth, or last four digits of social security number.

    Token issue

    Token authorization allows continued access to stolen cards

    The researchers found that canceling a stolen card does not prevent its use in digital wallets.

    When a card is authenticated, the bank issues a token authorizing purchases, which is stored in the digital wallet.

    This token remains active even if the original card is canceled and replaced, allowing attackers to continue using it for transactions.

    The study also revealed that banks do not require point-of-sale terminals in stores to verify the identity of the cardholder, further compounding this issue.

    Transaction abuse

    Recurring transactions and locked cards: A potential for abuse

    The study also found that recurring transactions, such as monthly charges, are processed in a way that can be exploited.

    An attacker can trick a merchant into tagging a transaction as "recurring," which will be processed even if the relevant payment card has been locked.

    This is because banks allow recurring payments on locked cards to honor contracts between users and merchants, ensuring continuity of subscription services and avoiding negative credit events due to missed payments.
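
The token and recurring-payment behaviour described above, shown as an added example that is not from the article or the researchers' paper: a simplified issuer-side authorization check as reported, next to a stricter variant. The data model, the function names and the mandate rule in the stricter variant are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Card:
    ref: str                 # constructed reference, not a real card number
    status: str = "active"   # "active", "locked" or "cancelled"


@dataclass
class Token:
    token_id: str
    card: Card
    # Merchants with a subscription enrolled by the cardholder (assumed concept).
    mandates: set = field(default_factory=set)


@dataclass
class Txn:
    token: Token
    merchant: str
    recurring: bool          # flag as supplied by the merchant


def authorize_as_reported(txn: Txn) -> bool:
    """Behaviour the article describes: the wallet token outlives the card,
    and a transaction tagged recurring is processed on a locked card."""
    if txn.recurring:
        return True
    # Only a lock stops a one-off payment; a cancelled card's token still works.
    return txn.token.card.status != "locked"


def authorize_hardened(txn: Txn) -> bool:
    """Assumed stricter policy: the token follows the card's lifecycle, and the
    recurring exemption applies only to an enrolled merchant mandate."""
    status = txn.token.card.status
    if status == "cancelled":
        return False
    if status == "locked":
        return txn.recurring and txn.merchant in txn.token.mandates
    return True


def compare(txn: Txn) -> tuple:
    """Return (reported decision, hardened decision) for one transaction."""
    return authorize_as_reported(txn), authorize_hardened(txn)
```

The cases where the two decisions differ are the ones the study reports: a one-off payment on a cancelled card's token, and a recurring-tagged payment on a locked card from a merchant with no enrolled subscription.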
